The Federal Trade Commission (FTC) in the US has finalised a settlement with SkyMed International over allegations that the emergency travel services provider failed to take reasonable steps to secure sensitive consumer information.
The Arizona-based company left unsecured a cloud database containing 130,000 records of its travel emergency membership plan. The information included members’ names, dates of birth, home addresses, health information and account numbers.
The FTC also alleged SkyMed deceived consumers by displaying a HIPAA Compliance seal on every page of its website, which gave the false impression that its privacy policies had been reviewed and met the security and privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Under the settlement, SkyMed must send a notice to affected consumers detailing the information exposed by the data breach.
The company must also implement a comprehensive information security programme and obtain biennial assessments of it by a third party.
The settlement also prohibits SkyMed from misrepresenting how it secures personal data, the circumstances of and response to a data breach, and whether the company has been endorsed by or participates in any government-sponsored privacy or security programme.